
Windows firewall: Overhead or additional protection?

Too many times the value of built-in firewalls may be overlooked. IT pro Rick Vanover explains pros and cons of using firewalls in the operating system.

In the course of administering servers, I’ve generally preferred to use firewalls via an appliance to dictate traffic patterns at the network level. The firewalls built into operating systems, namely Windows firewall, I have generally preferred not to use. So much so that I have committed to memory the command that disables the firewall service for all profiles on modern Windows systems:

netsh advfirewall set allprofiles state off

In a conversation with another administrator who specializes in Linux systems, the topic came up about using built-in firewalls. The other administrator commented, “I’d love to see all of your Windows systems use Windows firewall.” The comment made me stop and think for a bit. Primarily, I was expecting something snarky related to the Windows vs. Linux differences that we have. The other administrator continued to say that Windows firewall does a good job at what it is intended to do.

My background is Windows-centric, and that much I did agree with. Windows firewall does do a good job of managing traffic patterns in and out of the system, including block rules and configurations to the port level. This can go one step further and utilize what I feel is the best product Microsoft has ever made in Group Policy. Group Policy in Active Directory can be configured to centrally manage and push Windows firewall configurations very easily.

So the question becomes, do we forgo the use of appliance firewalls and favor firewalls built into operating systems? I don’t think that is realistic, but I do think that a case can be made to rethink the use of Windows firewall for systems generally on the network. This isn’t to say that the practice wouldn’t require some enhanced governance and management, however. Besides, a firewall rule that is too restrictive on the host can not only cut off desired communication patterns but can also cut off the administrative interfaces themselves.

The only way I see built-in firewalls being a viable option, even for trust zones that are not security-critical, is to be centrally managed. In the case of Windows firewall, Group Policy is the right vehicle for this.
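The lock-out risk raised above (a host rule that is too strict removes the very interfaces you administer the box through) is an ordering problem, and the sequence below is an added example, not the article's own code, of turning Windows firewall on for a remotely administered server without cutting yourself off. The management subnet, the backup path and the grace period are placeholder values; the script assumes an elevated PowerShell on Windows Server 2012 / Windows 8 or later (the NetSecurity cmdlets), with the equivalent netsh forms shown in comments for older systems. Under central management the same rules would live in the GPO's Windows Firewall with Advanced Security node instead of being created locally.

```powershell
# Added example (not the article's code): turn Windows Firewall on for a remotely
# administered server in an order that cannot lock you out. Assumptions: the
# management subnet 10.0.10.0/24 and the backup path are placeholders for your
# site; run from an elevated PowerShell on Windows Server 2012 / Windows 8 or
# later (NetSecurity module). The matching netsh forms are given in comments.

$MgmtSubnet   = '10.0.10.0/24'               # hypothetical admin network
$BackupFile   = 'C:\Temp\firewall-before.wfw'
$GraceMinutes = 10                           # time to prove remote access still works

# 1. Snapshot the current policy so 'netsh advfirewall import' can restore it.
New-Item -ItemType Directory -Force -Path (Split-Path $BackupFile) | Out-Null
netsh advfirewall export $BackupFile | Out-Null

# 2. Dead-man's switch: a one-shot task that switches the firewall off again
#    after the grace period. Delete it once you have confirmed access (step 5).
$when = (Get-Date).AddMinutes($GraceMinutes).ToString('HH:mm')
schtasks /Create /F /RU SYSTEM /SC ONCE /ST $when /TN 'FirewallRollback' `
    /TR 'netsh advfirewall set allprofiles state off' | Out-Null

# 3. Admin-access rules FIRST, while the firewall is still off. These are the
#    "administrative interfaces" a too-strict host policy would otherwise remove.
$adminPorts = @{ RDP = 3389; WinRM = 5985; SMB = 445 }
foreach ($svc in $adminPorts.Keys) {
    $ruleName = "Admin-Allow-$svc"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        # netsh advfirewall firewall add rule name=<rule> dir=in action=allow
        #   protocol=TCP localport=<port> remoteip=<subnet> profile=domain
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $adminPorts[$svc] -RemoteAddress $MgmtSubnet `
            -Action Allow -Profile Domain | Out-Null
    }
}

# 4. Only now enable it: drop unsolicited inbound, allow outbound.
#    (netsh advfirewall set allprofiles state on)
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 5. Verify, then cancel the rollback from a NEW remote session once it works:
#      schtasks /Delete /TN FirewallRollback /F
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName 'Admin-Allow-*' | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

The point of step 2 is that a mistake in step 3 or 4 costs you ten minutes rather than a trip to the console; because the task is given only a start time, a grace period that crosses midnight needs an explicit /SD date as well. The verification in step 5 should be done from a fresh connection, since the session you are already in may survive on established state that a new one would not get.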

What are your thoughts on using Windows Firewall on a widespread basis? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

41 comments
clindell

Forget the desktops and clients, let's talk about servers, Windows Servers. Do you feel that the Windows firewall with advanced protection enhances security or hinders it on a Windows server? Forget any other O/S; this is for those of us who need to manage Windows servers. If you are in a Windows shop you have no choice; this is what we work on. We all likely understand there are other things we do and use to keep our networks and systems secure on multiple levels. So do you feel that using Windows firewall is a benefit or causes more grief than needed, and either disable it if necessary or turn it off by running netsh advfirewall set allprofiles state off? Do you run the UAC on your servers? Do you feel they provide additional protection and enhance security or hinder it on a Windows server?

Who Am I Really

On for a standalone system, i.e. for the one-machine office or home, but off on my network, as it's a royal PITA just trying to access files on other systems with it on; the security router is the firewall.

cbader

I turn it off and use either Comodo, or I'll buy the full security suite from Kaspersky and use their firewall.

nwallette

I've fixed a ton of problems with extra layers in the Windows networking stack. When I became responsible for a Windows domain, my GP was set to stop the ICS/Firewall service entirely on servers and workstations, but enable it with a minimal ruleset on laptops. IMHO, the Windows codebase is a behemoth of parts that are too integrated for anyone's good. It's all duct tape and baling wire. The less of it running, the better. That said, I wouldn't put a Windows box directly on the Internet if I had the choice -- firewall or no. Not to make this a Win-Lin debate, but a Linux system running iptables is about the only software firewall I have any trust in. (I use it as my home router actually -- 500 days uptime, filled the flash disk several times with logs of break-in attempts, but still working like a charm.) The one advantage software firewalls have is application-level security going out of a host. In that case, and to keep an infected PC from spreading its digital germs in a trusted network, I can kinda see the reasoning. But then it's only as good as the buffer overflow protection and permissions allow it to be.

kkernspa

In a corporate network environment, it behooves the network administrator to do their level best to secure the network and its resources. With that said, so long as the security used does not hinder user productivity, then it should remain. I personally do not see Windows Firewall as a hindrance to workstation users and would make use of the centralized administration tools available to administrate it.

HaroldHO

Unless you're utilizing group policy to propagate firewall rules and connection security rules, you aren't even scratching the surface of Windows Server 2008/Vista+'s Windows Firewall with Advanced Security. The ability to customize is really impressive compared to its predecessors, and the ability to configure rules based on profile is useful as well. For instance - configuring a relatively lax firewall policy for the Domain policy on a laptop and a more strict policy on the alternate policies means the firewall will be dynamic depending on the situation. Also, with the connection security rules, you can configure IPsec authentication and encryption on specific source or destination ports or IP addresses. This is especially useful for applications that don't support encryption at the application layer, as you can let the operating system establish the IPsec connection - while it adds additional processing overhead, it's seamless to the application.
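The two features this comment describes, per-profile rules and connection security rules, look like this on a laptop; the script is an added example and is not HaroldHO's or the article's code. The agent port, the database subnet and the database port are placeholder values, and it assumes an elevated prompt on Windows Vista / Server 2008 or later, using netsh throughout because that form exists on all of those versions (the same rules can be pushed by Group Policy instead of created locally).

```powershell
# Added example (not from the article or the comment): profile-scoped firewall
# rules plus an IPsec connection security rule on a domain laptop. Assumptions:
# a support agent listening on TCP 5555 and database servers on 10.0.20.0/24
# port 1433 are hypothetical placeholders. Run from an elevated prompt on
# Windows Vista / Server 2008 or later.

$AgentPort = 5555             # hypothetical: helpdesk agent listening on the laptop
$DbSubnet  = '10.0.20.0/24'   # hypothetical: servers of an app with no encryption of its own
$DbPort    = 1433

# 1. Same listener, different exposure per profile: reachable only while on the
#    corporate (Domain) network, explicitly blocked on Private and Public.
#    Explicit block rules win over allow rules, so the listener stays closed
#    in hotels and coffee shops even if a broader allow rule is added later.
netsh advfirewall firewall add rule name=Agent-In-Domain dir=in action=allow `
    protocol=TCP localport=$AgentPort profile=domain
netsh advfirewall firewall add rule name=Agent-In-Other dir=in action=block `
    protocol=TCP localport=$AgentPort 'profile=private,public'

# 2. Connection security rule for the database traffic: this client requests
#    IPsec (computer Kerberos authentication) for both directions to the
#    database subnet. The servers' own rule is the mirror image with
#    action=requireinrequestout, so an unauthenticated client is refused there
#    and the cleartext database protocol only ever travels inside IPsec.
netsh advfirewall consec add rule name=Db-IPsec endpoint1=any `
    endpoint2=$DbSubnet port1=any port2=$DbPort protocol=TCP `
    action=requestinrequestout auth1=computerkerb

# 3. Show what was created; profile and action should read back as set above.
netsh advfirewall firewall show rule name=Agent-In-Domain
netsh advfirewall firewall show rule name=Agent-In-Other
netsh advfirewall consec show rule name=Db-IPsec
```

The profile list in step 1 is single-quoted because PowerShell would otherwise split `private,public` into two arguments before netsh sees it. Once traffic is flowing, the Monitoring node of the Windows Firewall with Advanced Security console (or `netsh advfirewall monitor show qmsa`) shows the security associations the rule negotiated, which is the evidence that the database sessions really are protected rather than silently falling back to cleartext.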

andykrantz

"So the question becomes, do we forgo the use of appliance firewalls and favor firewalls built-in to operating systems?" You'd have to be crazy to consider that! You should *always* protect the perimeter of your network with hardened firewalls (appliance or Linux) and use the Windows firewall (group managed or not) as a second line of defence. Your Linux admin friend is right - the Windows firewall does a good job of what it is *intended* to do. Perimeter firewalls are the belt, Windows firewall is the suspenders. I'm a Linux sysadmin and I use the Windows firewall on my Vista laptop because it is simple, effective, and doesn't cost extra.

HckrAdm2005

We use Windows firewall for our local machines but managed via group policy. It works quite well and gets the job done without having to buy an appliance or set up an open-source equivalent.

The 'G-Man.'

should build in small hardware firewalls into the cards / main boards that run outside any installed OS. That would be another option.

Colnar

I turn it off as well. I find it more of a nuisance than a help. It makes it extremely difficult to remotely manage PCs and servers within the network.

reggaethecat

One of the first things I do when building a server is turn off the firewall. The Security Configuration Wizard is the thing to use if you need extra security. But I tend to trust my main firewalls. In my view, Microsoft should concentrate on having Windows as locked-down as possible out of the box, à la Ubuntu, then we wouldn't need to have this discussion. But I appreciate that some open ports are necessary for communication with the outside world.

b4real

Do these offerings have a centralized management piece? I think that's critical for client and server firewall implementations.

AnsuGisalas

who said he could set up a 386 linux machine as a router so that it would automagically drop the connections of IP scanners. I was getting a lot of scanner traffic back then, so it stuck with me. Never got around to picking his brains about it though. Now I have a physical router, and it's not set up to show me the scanner traffic. So I don't know if it's a problem any more.

b4real

I didn't even go into the IPSec policies. I'd argue that those are amongst the most robust out there when group policy rolls into the mix. Don't steal my thunder!

learn4ever

...the two are different animals. But there are still better choices than Windows firewall if you need one on the server.

tbostwick

In my experience, I'd say about 95% of the time, the typical user "believes" their machine is protected from viruses and actually has no clue what a firewall is. Those that do simply state, "I was told that Windows has its own firewall." When I look at the routers, WiFi appliances and their network in general - nothing is set up, all policies are done on the PC in Admin mode, and nothing is locked down. No user should ever rely on Windows firewall, no matter what version you're using (XP, Vista, or Windows 7). This is like walking outside with only your underwear on in the middle of winter. You're only going to get so far before you die. Every home PC/Mac setup should start with an appliance that's capable of being the firewall (router usually), and only a few do that job well. Then, move to the software variety on the clients and lock things down - password access to the router, and set up policies that restrict what gets in/out. It's no wonder that sooo many casual users are hitting the repair stores within 6 months of a new PC purchase. If only the industry and the merchants that sell them would emphasize security first and how to use it - we could virtually eliminate a whole segment of unneeded repairs and maintenance for PCs that is now commonplace across America. We are simply an ignorant people when it comes to the eye-candy and electronic goodies before our eyes.

b4real

The question is do we SUPPLEMENT the perimeter with Windows Firewall.

ylto

I also run the Windows firewall on my client PCs, because even if they DO have perimeter security, there is nothing saying that an infected PC can't emerge from behind the firewall. The overhead is minimal, and like the original poster, where security is concerned I like my belt AND my suspenders.

b4real

In my opinion. With a name like "HckrAdmin2005" I trust you on this one! Welcome to TechRepublic by the way, seeing that you've joined today.

b4real

Have any links to that, and I'm curious what those can protect against/features to offer.

learn4ever

I find that it's too difficult to tell what exactly the firewall is going to filter. The behaviour is unpredictable, and the risk of remote access being interrupted is too great.

wlportwashington

I use hardware firewalls on our domain and on our workgroups. The built-in one not only adds overhead; I have seen the Windows Firewall inhibit network communications and stop our users from doing their jobs. Even with exceptions. I put ZoneAlarm on our laptops for the road warriors only. For me, the Windows firewall is useless.

Slayer_

Ubuntu is known as one of the least locked down distros of Linux.

nwallette

It's a constant barrage. Port scans, login attempts on every service (FTP, SSH, POP3...), nearly constant mail bounce notifications for messages I never sent on SMTP. If you have anything listening on your box, someone (or some script) is trying to find a way in. It's ugly out there. I've considered using/writing a script that logs failed connection attempts and starts temporarily banning IPs that cross some threshold. I've just been too lazy. Sooner or later, though, someone's going to brute force a password. I just hope I've made it long and complex enough to keep it from happening before I implement some sort of intrusion prevention.

shryko

It's been mentioned before, people don't sell stuff that will put them out of a job, when they're A) aware it'd kill their job, and B) not forced to sell it (think vaccines). The sales people are often in a store where the machine would return for repairs. Sell something that will need repairs, and you've almost guaranteed that it will come back to you, first... giving you MORE income. Why sell something and be sure that you're not going to get that income later? Ignorant public, greedy big corporations, uncaring support staff... The 3 big issues that are why things are this way. Please note, I know several people who sell systems that are pre-hardened, and that is what they advertise... They buck the trend, but when mass-marketing is done mostly in the big-box stores, the security front isn't what gets emphasized...

Jasonjb1222

I don't use it and disable it by default, because I don't like the Windows F/W in Windows XP. However, coming back to the original point; would you wear a helmet instead of a seatbelt?

b4real

But I don't know about central management (analogous to group policy). Why would you do it another way in a mostly Windows world?

The 'G-Man.'

HckrAdm2005 Job Role: Networking / LAN Administration Location: Middleton, Wisconsin Member since: 11/07/2006

b4real

I think, with centralized management of Group Policy, that it is far from useless. ZoneAlarm is surely a good product, but no one can tell me if it has centralized management.

AnsuGisalas

They're just running the manufacturer default credentials short-list. Of course, there should be a service or agency to whom you could send your scanner logs. Then the evidence can be collated and botnets can be unravelled.

nwallette

I wrote a Perl script to extract all the unique IPs trying to log in to some service and it was ridiculous. The next step would be to put them in a table with a Count field and only bother with those that accounted for a significant percentage of the overall attempts. I have seen some pretty persistent attempts though. Login "Admin", login "Apple", login "Appliance", ...

AnsuGisalas

Think about what you just said. Everybody gets scanned. That's extensive, not intensive. Brute-force hacking is intensive. They cannot, for all their botnets be at once intensive and extensive. They cast their nets wide and shallow, on account of all the stooges out there with admin accountname and admin password. The closest they come to extensive is a short list of manufacturer default passwords. They don't go at random into the small cloud of not-stooges and waste large amounts of resources on bruting what they don't know to be worth it. For those purposes they have spam, malware, social engineering, malicious sites, malicious ads etc. etc. Again, they don't get into 100% of all places that way either, but it's enough to make it worth their while, yet not enough to kill the goose that lays them golden eggs. EDIT: But yes, an IP timeout would help against some bruting. Unless they're using a botnet cloud. That way the repeats would be far between, too far to notice maybe.

techrepublic@

Most of the internet-visible GNU/Linux servers I manage are under a constant barrage of attacks. I once also thought of scanning the logs for attacks and auto-creating iptables/firewall rules to drop traffic from those IPs, but a quick analysis of the logs revealed that the unique IPs numbered in the tens of thousands and rarely repeated. In situations like this, banning IPs will have little if any positive effect on security.
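The log triage that nwallette sketches (unique IPs, a count per IP, a threshold before banning) and the measurement techrepublic@ used to decide it was not worth it are the same computation, shown below as an added example that is not code from either commenter. It runs over a handful of constructed sshd-style lines embedded in the script rather than a real auth.log, and works in Windows PowerShell 5.1 or PowerShell 7 (including on Linux, where the log itself would come from Get-Content /var/log/auth.log).

```powershell
# Added example (not from any commenter): count failed logins per source IP,
# measure how many sources ever repeat, and produce the ban list a threshold
# would yield. The log lines below are constructed sample data using
# documentation address ranges; replace them with your own log.

$LogLines = @'
Jan 10 03:14:02 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:05 gw sshd[2213]: Failed password for invalid user apple from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:09 gw sshd[2215]: Failed password for invalid user appliance from 203.0.113.5 port 51244 ssh2
Jan 10 03:14:12 gw sshd[2217]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 03:20:41 gw sshd[2290]: Failed password for invalid user admin from 198.51.100.77 port 40022 ssh2
Jan 10 03:31:17 gw sshd[2304]: Failed password for invalid user test from 192.0.2.19 port 33102 ssh2
Jan 10 03:45:55 gw sshd[2377]: Failed password for invalid user admin from 198.51.100.14 port 39001 ssh2
Jan 10 04:02:03 gw sshd[2410]: Accepted publickey for nate from 192.0.2.200 port 50001 ssh2
'@ -split "`r?`n"

function Get-FailedLogins {
    param([string[]]$Lines)
    # One pattern for the common sshd failure shape. The username is kept because
    # the sequence tried ("admin", "apple", "appliance") reveals the wordlist in use.
    $rx = 'Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            [pscustomobject]@{ Ip = $Matches.ip; User = $Matches.user }
        }
    }
}

function Get-BanCandidates {
    param([string[]]$Lines, [int]$Threshold = 3)
    $perIp     = @(Get-FailedLogins $Lines | Group-Object Ip)
    $total     = ($perIp | Measure-Object Count -Sum).Sum
    $oneShots  = @($perIp | Where-Object Count -eq 1)
    $repeaters = @($perIp | Where-Object Count -ge $Threshold)
    [pscustomobject]@{
        UniqueSources   = $perIp.Count
        TotalAttempts   = $total
        # Share of sources that would NEVER trip a threshold, however low it is set.
        SingleShotRatio = [math]::Round($oneShots.Count / $perIp.Count, 2)
        BanList         = @($repeaters | Sort-Object Count -Descending | ForEach-Object Name)
    }
}

$report = Get-BanCandidates -Lines $LogLines -Threshold 3
$report | Format-List

# Usernames tried, first appearance order: the "Admin, Apple, Appliance" pattern.
Get-FailedLogins $LogLines | Select-Object -ExpandProperty User -Unique

# The ban list as drop rules for a Linux firewall host, emitted as text to review
# before running; nothing is applied by this script.
$report.BanList | ForEach-Object { "iptables -I INPUT -s $_ -j DROP" }
```

On the sample data four sources account for seven failures, one source (203.0.113.5) crosses the threshold, and the single-shot ratio is 0.75: three of the four attackers would never be banned at any threshold, which is techrepublic@'s observation in one number. The ratio is the figure to look at before building a ban mechanism; when it sits near 1.0 the bans will trail the attack rather than reduce it, and the effort is better spent on what nwallette already has, long credentials or keys, plus rate limiting on the service itself.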

airjos

Yesterday I agreed, "and" not "or" seems correct. Today it occurs to me that perhaps "instead" is correct if on a motorcycle, quad . . .

b4real

But not instead :)

b4real

Sounds roughly similar to some of the hard drive specifications (like zero out on tamper).